How to auto renew certs that have created with domain control validation


#1

Hi,

I created a certificate using ./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges http -d domain.myname

It needs a domain control verification as mentioned preferred challenge as HTTP. How can I automate the renewal process using auto-renew where it needs a domain validation every time. (first I don’t know it does the domain validation each time when renewing or not)

My domain is: domain.myname

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

You don’t use the --manual command, but rather one that will automate the process like --webroot. But since you’ve told us nothing about your environment (all those questions that you didn’t answer), it’s pretty hard to give any more specific suggestions.


#3

Ohh sorry…here about my env.

My web server is (include version): Apache/2.2.15 (Unix)
The operating system my web server runs on is (include version): CentOS release 6.9 (Final)
I can login to a root shell on my machine (yes or no, or I don’t know): yes


#4

I looked at webroot plugin. It works good when you have less domains as webroot can modify only on local server. But I have many domains and it’s hard to configure certbot on every local server. Is there any other way to do this renewals from the remote host by configuring cron job?

Thanks
Rajesh


#5

Well, usually you do want to configure Certbot on every server locally, because the certificate then also has to be installed locally.

https://github.com/srvrco/getssl is one such project that is focused on the use case of both performing validation (e.g. copying files to webroots) and installation from a remote/central host, but it is generally much less friendly than just using a local ACME client.

You can stick to Certbot and use manual auth hooks and deploy hooks to perform all of the remote actions, but in that case, getssl may just be a better choice!


#6

I fixed this issue by using --manual-auth-hook and --manual-cleanup-hook.

I have written two scripts - one is for the HTTP authentication - it copies the HTTP validation file on to remote host apache root server dir. and completes the authentication. Another one cleanup the files that created part of authentication.
I installed certbot on the local server and mentioned the remote hostname and server root directory. Here is the command I ran to do the HTTP validation remotely.

./certbot-auto certonly --server https://acme-v02.api.letsencrypt.org/directory --manual --email email@myemail.com --manual-public-ip-logging-ok --agree-tos --renew-by-default --preferred-challenges=http --manual-auth-hook _authentication-script-path_ --manual-cleanup-hook _cleanup-script-path_ -d domainname

Thanks for the responses.


Rajesh


#7

Hi all,

I have one more query. Right now I have created the SSL certs with HTTP validation. Going forward when I renewing the certs, it is required to do the domain validation again?


Rajesh


#8

Yes - when Certbot goes to renew, it will call your auth hooks automatically to perform domain validation again.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.